NTLM 身份验证在 IE 中失败,适用于 Chrome 和 Firefox
NTLM authentication fails with IE, works with Chrome and Firefox
我正在尝试在 int运行et 网络应用程序上使用 NTLM 身份验证。该设置在 Server 2008 R2 上使用 IIS 7.5。
当我导航到页面时,我已经 Windows 为对话框启用身份验证会正确显示并允许我在 Chrome 和 Firefox 中进行身份验证,但 IE 似乎发送了错误的协商令牌.
我假设 IE 只是配置不正确,虽然我已经搜索了所有但无法找出问题所在。
我 运行 Fiddler 和 header 第一次点击页面时从服务器发回的内容如下所示:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 03 Dec 2015 21:49:09 GMT
Content-Length: 6333
Proxy-Support: Session-Based-Authentication
然后当我尝试使用不同的浏览器登录时,响应如下所示。 Firefox 和 Chrome 响应都成功,而 IE 失败。哦,我也试过 IE 11,但也失败了。我假设 header 看起来很相似,但如果有人也想看,我可以提供。
任何关于 IE 问题的想法都将不胜感激。
Firefox 响应服务器:
Host: intranet.gwlisk.com:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Chrome 响应服务器:
Host: intranet.gwlisk.com:81
Connection: keep-alive
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
IE 响应服务器:
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: intranet.gwlisk.com:81
Authorization: Negotiate YIIGDQYGKwYBBQUCoIIGATCCBf2gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBccEggXDYIIFvwYJKoZIhvcSAQICAQBuggWuMIIFqqADAgEFoQMCAQ6iBwMFACAAAACjggShYYIEnTCCBJmgAwIBBaEMGwpHV0xJU0suQ09NoiYwJKADAgECoR0wGxsESFRUUBsTSU5UUkFORVQuZ3dsaXNrLmNvbaOCBFowggRWoAMCARKhAwIBLKKCBEgEggREiBz3izdz2e6f2QlRDCsMUyiXrIeosQvaD3n9RzikkU2ng01QLltM0IVSiSCp3jb0vF4CyRJ/ANk19hQ9rNiFA9A4PBBWvvK9/FKtedv8fw3wVun0ZUXs0cGwNjAM25gRveWb3GVRwgZWa4/NHVmS6cg3wVXbQtM0izJT4IAQEuuhGHGT6dJvnuEj8rpZn+JWdPBvoVDcMnhAQVvZpT5aDtb94WJNxrpGt+H5BXN4/MV4UNQh9T4fFvhe5yTb3nqaDnhR7p6X2V4ZBDqbNuRh9AtSHQ8IdReE0El41b1kAhbqBAKnFmI3H1mNY/SQUaGisEmNC0ZXz9fZL/f5ig6CLSuNAND97c76UlhAm80yYMXYyk+XxPepczlMziyvL//bbdJ2l9K9EJineQ5UsmsERPp9EXaAwI6IzUxjCJ9e4y6mwQTllAKkvz4QCzI2N5CoMuo5T7fChSOf64WElPR9eez345/NsgAgQm0EqG6CC0WlD1UFIlgdxaPnhaAyFUi+bGxAx5Ih1yiNfsjCBd78sBn4rdnoYmqWpXnJF4xeR5vfhBSONXHwdLvrIXXmXMua+XBo6HhShE/e+3UHZm/S7fRgX8kbuADOjveKb7NEhlPCkWjPoqBbH6vC8nQ7Ul/Nwh4sbQJTTnGOnu5MPMfFNSFq/Ey4cjz300xMGwK9bJlLkcaEeRBG/ehoNeCOxJ8FuJTWP933uCpKsNaQQ+3P3bEeWye7V3srjG2SiFpP/5l04pwagQbCFtabSl1WAp+W8JkCIsc5pJlZKh1FkV+YGzpdPYrlf7q9PimCEESIDl4wGaAJqT2hgHCi15fViAPXFnQDiKwNd3skuHpjKZbt3Od67J3eLm1hjutX+bO5j1aVkFpci/6DEsnUYNOKttFGaEeyGy/3urEpI3rPWvpdLCgnueplkdf/ay9I58adCaF8DnW9uQ7s9SrhXL5PyMY1mWjeyl5/kKKAHEWXX1TgaPXVjt/pwJ861dTiXkryzpNE26IGjvvXpa7ixfCW+8Z8JDRQPhRiq56AvgMo3M05IBaLBLRfUDJ8Q9+UMIUNx+GLosfXgtqUQnfcX5oAVagXX4ejk3kX0ci8DS2wJBic9VZToFcKD3tG6tT2WKA3AX+++yk95UMQQSDBeJVBb2dgVM0ee1Ks2qFsMin4I7+DxAGvaPol3JN3EMA+qcufvu9EdYTKGdbyMCBD4qCECpPkDyF8ffdCrzBYj11mzMHG1OG926jhkZqBV0ZsJg22DorxHK6P+ZiU519JxwC/cxOR8R3MrutnuR+umuwEWzNdN0TdjvADLpLKlz0bsUfr5Hrphfg1/5HlHTIcYYWtW+9tcrpf7Pz+cEZLlFXaWcz6z/epUISwYOZt0rMDmi7GyVKGxQ8uyTQVq6szvv3la8olfzQhaI22jgXyuTotDobf9yDQxNyo4aR6jgJmQik7uojhbpEBpIHvMIHsoAMCARKigeQEgeHuXoC4DBkyyg7aiwf79OzunlBTFj/PXwyFXev5e5goqYbQIbNiXXRktrXZOMqZFqdVeMLSkfHfxTazso1tdjSrQT4mtIlLQ9SO+azMCvKnVrYjF/NMCZ3ePb/vjvPrlZh1r/9Nupce5HSDe+6upM8aYkC6+nCKHOC4ykiCWUZhFkdXERU+3L6C1IaL+PgU3yeD6ri+SVbYVUNw3cTR/luR6BZef66A4Ga7uOYgXCd/d4CxS6PIg5VqYZLqHkSLK8UbvwUQuN/XWLR5wpGZr3DRgZ0+ZT6lVUansy8ab8VxkSk=
似乎 IE 在这里传递的令牌是 Kerberos 令牌而不是 NTLM 令牌(如果我的术语正确的话)。我通过删除实现 Kerberos 身份验证的协商提供程序解决了这个问题,现在一切正常。
Remove NEGOTIATE from WindowsAuthentication in IIS
我正在尝试在 int运行et 网络应用程序上使用 NTLM 身份验证。该设置在 Server 2008 R2 上使用 IIS 7.5。
当我导航到页面时,我已经 Windows 为对话框启用身份验证会正确显示并允许我在 Chrome 和 Firefox 中进行身份验证,但 IE 似乎发送了错误的协商令牌.
我假设 IE 只是配置不正确,虽然我已经搜索了所有但无法找出问题所在。
我 运行 Fiddler 和 header 第一次点击页面时从服务器发回的内容如下所示:
HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 03 Dec 2015 21:49:09 GMT
Content-Length: 6333
Proxy-Support: Session-Based-Authentication
然后当我尝试使用不同的浏览器登录时,响应如下所示。 Firefox 和 Chrome 响应都成功,而 IE 失败。哦,我也试过 IE 11,但也失败了。我假设 header 看起来很相似,但如果有人也想看,我可以提供。
任何关于 IE 问题的想法都将不胜感激。
Firefox 响应服务器:
Host: intranet.gwlisk.com:81
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Chrome 响应服务器:
Host: intranet.gwlisk.com:81
Connection: keep-alive
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
IE 响应服务器:
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: intranet.gwlisk.com:81
Authorization: Negotiate YIIGDQYGKwYBBQUCoIIGATCCBf2gMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBccEggXDYIIFvwYJKoZIhvcSAQICAQBuggWuMIIFqqADAgEFoQMCAQ6iBwMFACAAAACjggShYYIEnTCCBJmgAwIBBaEMGwpHV0xJU0suQ09NoiYwJKADAgECoR0wGxsESFRUUBsTSU5UUkFORVQuZ3dsaXNrLmNvbaOCBFowggRWoAMCARKhAwIBLKKCBEgEggREiBz3izdz2e6f2QlRDCsMUyiXrIeosQvaD3n9RzikkU2ng01QLltM0IVSiSCp3jb0vF4CyRJ/ANk19hQ9rNiFA9A4PBBWvvK9/FKtedv8fw3wVun0ZUXs0cGwNjAM25gRveWb3GVRwgZWa4/NHVmS6cg3wVXbQtM0izJT4IAQEuuhGHGT6dJvnuEj8rpZn+JWdPBvoVDcMnhAQVvZpT5aDtb94WJNxrpGt+H5BXN4/MV4UNQh9T4fFvhe5yTb3nqaDnhR7p6X2V4ZBDqbNuRh9AtSHQ8IdReE0El41b1kAhbqBAKnFmI3H1mNY/SQUaGisEmNC0ZXz9fZL/f5ig6CLSuNAND97c76UlhAm80yYMXYyk+XxPepczlMziyvL//bbdJ2l9K9EJineQ5UsmsERPp9EXaAwI6IzUxjCJ9e4y6mwQTllAKkvz4QCzI2N5CoMuo5T7fChSOf64WElPR9eez345/NsgAgQm0EqG6CC0WlD1UFIlgdxaPnhaAyFUi+bGxAx5Ih1yiNfsjCBd78sBn4rdnoYmqWpXnJF4xeR5vfhBSONXHwdLvrIXXmXMua+XBo6HhShE/e+3UHZm/S7fRgX8kbuADOjveKb7NEhlPCkWjPoqBbH6vC8nQ7Ul/Nwh4sbQJTTnGOnu5MPMfFNSFq/Ey4cjz300xMGwK9bJlLkcaEeRBG/ehoNeCOxJ8FuJTWP933uCpKsNaQQ+3P3bEeWye7V3srjG2SiFpP/5l04pwagQbCFtabSl1WAp+W8JkCIsc5pJlZKh1FkV+YGzpdPYrlf7q9PimCEESIDl4wGaAJqT2hgHCi15fViAPXFnQDiKwNd3skuHpjKZbt3Od67J3eLm1hjutX+bO5j1aVkFpci/6DEsnUYNOKttFGaEeyGy/3urEpI3rPWvpdLCgnueplkdf/ay9I58adCaF8DnW9uQ7s9SrhXL5PyMY1mWjeyl5/kKKAHEWXX1TgaPXVjt/pwJ861dTiXkryzpNE26IGjvvXpa7ixfCW+8Z8JDRQPhRiq56AvgMo3M05IBaLBLRfUDJ8Q9+UMIUNx+GLosfXgtqUQnfcX5oAVagXX4ejk3kX0ci8DS2wJBic9VZToFcKD3tG6tT2WKA3AX+++yk95UMQQSDBeJVBb2dgVM0ee1Ks2qFsMin4I7+DxAGvaPol3JN3EMA+qcufvu9EdYTKGdbyMCBD4qCECpPkDyF8ffdCrzBYj11mzMHG1OG926jhkZqBV0ZsJg22DorxHK6P+ZiU519JxwC/cxOR8R3MrutnuR+umuwEWzNdN0TdjvADLpLKlz0bsUfr5Hrphfg1/5HlHTIcYYWtW+9tcrpf7Pz+cEZLlFXaWcz6z/epUISwYOZt0rMDmi7GyVKGxQ8uyTQVq6szvv3la8olfzQhaI22jgXyuTotDobf9yDQxNyo4aR6jgJmQik7uojhbpEBpIHvMIHsoAMCARKigeQEgeHuXoC4DBkyyg7aiwf79OzunlBTFj/PXwyFXev5e5goqYbQIbNiXXRktrXZOMqZFqdVeMLSkfHfxTazso1tdjSrQT4mtIlLQ9SO+azMCvKnVrYjF/NMCZ3ePb/vjvPrlZh1r/9Nupce5HSDe+6upM8aYkC6+nCKHOC4ykiCWUZhFkdXERU+3L6C1IaL+PgU3yeD6ri+SVbYVUNw3cTR/luR6BZef66A4Ga7uOYgXCd/d4CxS6PIg5VqYZLqHkSLK8UbvwUQuN/XWLR5wpGZr3DRgZ0+ZT6lVUansy8ab8VxkSk=
似乎 IE 在这里传递的令牌是 Kerberos 令牌而不是 NTLM 令牌(如果我的术语正确的话)。我通过删除实现 Kerberos 身份验证的协商提供程序解决了这个问题,现在一切正常。
Remove NEGOTIATE from WindowsAuthentication in IIS